Blaster Only Set to Stun

Once again, it appears that the worm authors had caught system administrators with their trousers down. Despite the availability of a patch since mid-July to fix the vulnerability exploited by W32.Blaster, the widespread infection of both business and home computers showed that in the vast majority of cases, it had not been applied. Such was the infection rate that, at its pinnacle, the worm was taking only 30 seconds to find an uninfected computer somewhere in the world.

The single, hard and irrefutable fact is that if all the infected computers had applied a patch freely available from Microsoft weeks before its release into the wild, W32.Blaster would have failed completely and utterly. However, the worm’s authors knew that the patch would not have been applied in the vast majority of cases, and wrote and released the worm. Which poses the question – after worldwide calamities such as CodeRed and Nimda, why were lessons not learned in order to protect computers against the rapid spread of such a malignant terror?

Luckily, W32.Blaster was not nearly as devastating as it could have been. Inherent flaws within its design prevented it replicating more rapidly, such as requiring two separate connections to the Internet to start infecting its host, and the sequential scanning method it used to find new hosts to infect. Other than implementing a partial Denial of Service (DoS) attack on its host, the network to which it was attached and potentially the Windows Update website, it did not attempt to delete or corrupt any user data. Being relatively benign, anti-virus vendors were confident enough to provide “clean-up kits” for infected machines, which remove the worm and returned the computer back to normal – the electronic equivalent of a couple of aspirin, a hot bath and an early-to-bed.

Nevertheless, as bad as the infection from W32.Blaster was, it could have been a lot worse. Had the worm functioned in the same way as CodeRed, causing destruction of data and utilising a single connection for infection, download and propagation, or like Nimda used both web and e-mail to distribute itself, the infection rate and the consequences of being infected would have been a lot worse. These are salient facts, which have no doubt not escaped the wily attention of the copycat virus writers.

Ultimately, of course, the blame might be placed at the feet of Microsoft, as the DCOM RPC vulnerability was of the making of their programmers. But the fact is that even programmers from Microsoft are human and as such may occasionally overlook the odd buffer overflow here and there. v As the disclaimer that you agreed to before using any software from Microsoft (including patches) helpfully points out, their software may or may not be fit for purpose, regardless of whether you use it to run your organisation’s critical financial database, drive control systems to move control rods around in a nuclear reactor, or simply e-mail friends, relatives and people you stumbled across on Friends Reunited. So the fact is that software vulnerabilities will be found, patches to fix them will be issued, and in order to maintain the security and integrity of your system, you will need to promptly apply them.

However, an organisation’s patch management strategy will not be cheap, and requires test systems, procedures, change management and back-out plans. It will require resources, including personnel and investment in training. It may even require dedicated servers to provide software updates to other servers and workstations.

In short, it requires investment, and with it recognition from budget holders within companies that patch management is important and essential enough to be taken seriously, and be a distinct and recognized element of the system administrator’s job role. Given the financial damage incurred from cleaning up after a virus outbreak with an organization, proactive patch management should be considered a sound business investment with real, tangible benefits.

The home user is equally at risk from viruses, but patch management presents an entirely different set of problems. Running Windows Update and then downloading megabytes of patches over a dial-up connection for hours is likely to cause frustration, from both the downloader and their partner who would really like to use the phone.

Broadband users are in a better position in this respect, but since the network connection is “always on”, the temptation is to leave the computer “always on” as well, thus rendering it “always vulnerable”. The solution (for both dial-up and broadband home users) is to employ a firewall solution to block incoming traffic originating from the Internet, deployed as a separate hardware or software solution, or with appropriate port filtering. With, of course, anti-virus software with recent virus definitions.

Patch management will, in the end, save you time and money. The malicious software writers are already hard at work on copy-cat versions of the current viruses and worms, no doubt aimed to cause much more damage, and probably working hard at exploiting the next generation of vulnerabilities. Next time, blaster may be set to kill.